[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <optid.17166f2453.58DB1B68E62B9F448DF1A276B0886DF112DB5F35@EX2010.hammerofgod.com>
Date: Sat, 10 Apr 2010 18:00:23 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "nick@...us-l.demon.co.uk" <nick@...us-l.demon.co.uk>, Full-disclosure
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
> > Not the fault of PCI. Perhaps you should consider a better auditor.
>
> Ummmmm -- isn't the point that PCI is set up such that lowest (common
> denominator amongst) auditors are actually the ones that define what "PCI
> compliance" really is?
>
> As an earlier poster already pointed out, all the vaguely recent major credit
> card data theft cases have involved "fully PCI compliant" (as defined by that
> perpetrator's PCI auditors) card processors, etc...
While I have heard the same thing repeated many times, I've never found a credible source for the claim that "all breaches involved fully PCI compliant processors."
According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant:
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
I trust the accuracy of a report compiled in a professional manner from actual breach data far more than I do random posts from anonymous users on the subject matter (not saying YOU are a random poster, Nick - I've developed respect for your opinions over the years).
While PCI compliance does not directly equate to the secure implementation of a system (or should I say "applicably secure" implementation) the existence of a standard has obviously contributed to end-of-the-day security. As technologists, we will always find a way around controls, and will always be able to point out weaknesses in a system. For example, the "firewall" requirement to physically separate PCI assets from other assets: One can "pass" this requirement by placing any qualifying firewall unit in between assets, even if all traffic is allowed through the firewall. The hope of course is that this is NOT done, but analysis of every firewall's ruleset is out of scope for PCI audits. It's the credit card industry's game, and if you want to play it, you have to follow their rules.
Far too often security is positioned in this highly technical, difficult to understand, "anything can be broken so why bother" approach. And while that is true at the detail level, starting off with the basics of least privilege and security in depth has proved to be the most successful method. I have made this statement about a million times. And the data seems to support this:
81% of victims were not PCI compliant.
83% of attacks were not highly difficult.
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications (meaning, not clients).
It is one of the reasons I speak out so strongly against SOSs (snake oil salesmen) when they try to push short-cut methods or "magic formulas" or use pseudo-intellectual theory to postulate best practices. One such example is some Berkeley guy SANS always used to get "expert" contributions from (Schmidt or Schultz or something - I can't remember and I'm actually happy about that) who repeatedly said that inside attacks were where all the risk was, and that they accounted for the most or all breaches. Those who trusted that advice made bad decisions on their security (74% of attacks are external). Analysis of over 600 breaches spanning 5 years proves that - not armchair pontification.
And thus one see's the inherent danger in perpetuating rumors that "all assets were fully PCI compliant" in the absence of fact - people may very well "act" of that assertion. We could certainly spin it up nicely and add some flair to it by saying something like "the Verizon report shows that amazingly, a stunning 19% of all victims were *FULLY* PCI compliant and certified to do process highly sensitive financial and personal information by auditors who do NOTHING ELSE but deliver PCI compliance services, yet over 57 MILLION innocent lives were potentially exposed to identity theft, information disclosure, as well as a raging case of herpes."
So we can sit around and say "compliance is a waste of money" or we can say "if we want to make money by accepting credit cards, we have to comply with the industry's requirements. This will cost money in implementation, compliance, and certification. While doing this, we should focus on cost centers and expenses while ensuring that we take full advantage of the security benefits such a compliance framework offers."
t
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists